CVE-2024-48286
Published: 21 November 2024
Summary
CVE-2024-48286 is a high-severity Command Injection (CWE-77) vulnerability in Linksys E3000 Firmware. Its CVSS base score is 8.0 (High).
Operationally, ranked in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-48286 is a command injection vulnerability in the Linksys E3000 router running firmware version 1.0.06.002_US, specifically within the diag_ping_start function. The flaw is tracked under CWE-77 and carries a CVSS 3.1 base score of 8.0, reflecting network attack vector, low attack complexity, and low privileges required.
An attacker who can reach the device's web interface can supply crafted input to the affected function, resulting in arbitrary command execution on the device. Successful exploitation grants the attacker the ability to read, modify, or delete data and fully compromise the router's confidentiality, integrity, and availability.
A publicly available proof-of-concept exploit has been published on GitHub. The current EPSS score of 0.2897 matches its recorded peak and does not indicate a post-disclosure rise in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43171
Vulnerability details
Linksys E3000 1.0.06.002_US is vulnerable to command injection via the diag_ping_start function.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.